1. Field of the Invention
Embodiments of the present invention generally relate to computer network security systems and, more particularly, to a method and apparatus for securing computer systems from domain name abuse by identifying a legitimate domain name being imitated by a cousin domain.
2. Description of the Related Art
Today many business and personal transactions occur through a computer and the Internet. Fraudsters (e.g., spammers, phishers, hackers and the like) employ one or more techniques to illegally disrupt operations at the computer and/or obtain personal user information. For example, the fraudsters entice Internet users to navigate to fake web sites that resemble legitimate web sites (e.g., spoofed web sites) in order to obtain passwords and/or financial account information and/or infect the computer with malware, viruses or other web-based threats. Moreover, the fraudsters may use phishing techniques to set up convincing spoofs of the legitimate web sites to scam Internet users. The Internet users are tricked into entering personal information such as a credit card number, an account password and a social security number because the spoofed web site is designed to look exactly like the legitimate web site. Furthermore, the spoofed web site may be designed using the components and patterns from the legitimate web site.
Similarities between various character symbols may be exploited to disguise the domain name of the malicious web site by imitating the actual domain name of the legitimate web site. Such similarities exist between letters or groups of letters (e.g., ‘w’ resembles ‘vv’), between letters and punctuation marks (e.g., a pipe symbol (‘|’) resembles ‘I’ and a dollar symbol (‘$’) resembles ‘S’) and the like. For example, the Internet users may not notice subtle visual differences between the character symbols and accidentally click on a link for “www.vvellsfargo.com” due to the resemblance with the legitimate web site “www.wellsfargo.com”. Sometimes, punctuation marks in the domain name may go undetected. For example, the punctuation mark “!” resembles the number “1” and the letter “I” and may be overlooked by most Internet users.
Occasionally, the fraudsters may employ such look-alike characters to exploit certain visual characteristics of the actual domain names (e.g., wellsfargo.com) of the legitimate web sites in order to disguise cousin domain names (e.g., vvellsfargo.com) of the malicious web sites from current web-based fraud detection techniques. Generally, a cousin domain name comprises one or more look-alike characters that appear exactly like one or more characters of the legitimate domain name. Accordingly, the fraudster may register the cousin domain name (e.g., vvellsfargo.com) for the malicious web site.
Current spam and phish detection techniques may not operate properly if imitation or look-alike character symbols are employed by the fraudster. Such detection techniques may not recognize a string of characters “vvellsfargo.com” as the domain name for the legitimate web site “wellsfargo.com” and, as a result, will not block the web page or the email sent to the user having such a string. Consequently, “vvellsfargo.com” will be treated as an acceptable, legitimate domain name for a web site of a brand on the Internet by the current detection techniques.
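As an added illustration (not part of the original text and not the method claimed by it), the following Python example contrasts a plain string comparison, which treats “vvellsfargo.com” as an unknown name, with a comparison that first folds the look-alike pairs named above. The allowlist, the function names and the choice of canonical characters are assumptions made for the example.

```python
"""Map look-alike domain strings back to the legitimate domain they imitate."""

# Look-alike groups named in the text: 'vv'~'w', '|'~'I', '!'~'1'~'I', '$'~'S'.
# Each group is folded to one canonical lowercase character (an assumption).
LOOKALIKES = (("vv", "w"), ("|", "i"), ("!", "i"), ("1", "i"), ("$", "s"))

# Constructed allowlist of legitimate domain names for the example.
LEGITIMATE = ("wellsfargo.com", "example.com")


def host(name):
    """Lowercase, drop a trailing dot and a leading 'www.' label."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def skeleton(name):
    """Fold every look-alike sequence so visually similar strings compare equal."""
    s = host(name)
    for seq, canon in LOOKALIKES:
        s = s.replace(seq, canon)
    return s


# Skeleton of each legitimate domain -> the legitimate domain itself.
# Legitimate names are folded too, so a real name containing '1' still matches.
INDEX = {skeleton(d): d for d in LEGITIMATE}


def exact_match(name):
    """What a plain string comparison sees: only identical names are known."""
    return host(name) in LEGITIMATE


def imitated_domain(name):
    """Return the legitimate domain that `name` imitates, or None.

    A name that is itself on the allowlist is not an imitation.
    """
    if exact_match(name):
        return None
    return INDEX.get(skeleton(name))


if __name__ == "__main__":
    # Constructed sample strings, e.g. as extracted from a message body.
    for sample in ("www.vvellsfargo.com", "vvell$fargo.com",
                   "www.wellsfargo.com", "unrelated.org"):
        print(sample, exact_match(sample), imitated_domain(sample))
```

Only the character pairs given in the text are folded; a deployment would extend the table with further confusable characters.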
Therefore, there is a need in the art for a method and apparatus for identifying a legitimate domain name being imitated by a cousin domain name to support web-based fraud detection.